Hello everybody.

I could not find an answer to my problem in the archive. (But that may just be me :-) )

I have a problem with proxy ARP and connection from loc (localnet) and from the firewall. Works fine from internet to dmz / proxy ARP and vice versa.

I have a feeling the solution is simple, but I'm no guru in Linux routing etc.

The problem seems to be the routing setup.

loc - 10.0.0.0/24
net - 194.19.34.96/27
dmz - 10.0.10.0/24

There are different servers on the DMZ via proxy ARP and they all respond the same.

One of the servers is 194.19.34.115.

If I ping this from "loc", tcpdump on the firewall gives a response like this:

13:50:25.613750 00:0f:3d:eb:d8:a9 > 00:0d:60:33:f9:da, ethertype IPv4 (0x0800), length 74: IP (tos 0x0, ttl 127, id 23932, offset 0, flags [none], proto 1, length: 60) 10.0.0.50 > 194.19.34.115: icmp 40: echo request seq 13824

No reply.

tcpdump on 115 shows:

13:45:16.266643 00:0f:3d:eb:d8:a9 > 00:0d:60:33:f9:da, ethertype IPv4 (0x0800), length 74: IP (tos 0x0, ttl 127, id 24603, offset 0, flags [none], proto 1, length: 60) 10.0.0.50 > 194.19.34.115: icmp 40: echo request seq 14080

From fw to 115 gives:

13:52:46.143013 00:0f:3d:eb:d8:a9 > 00:0d:60:33:f9:da, ethertype IPv4 (0x0800), length 98: IP (tos 0x0, ttl 64, id 5, offset 0, flags [DF], proto 1, length: 84) 10.0.10.1 > 194.19.34.115: icmp 64: echo request seq 5

No reply.

From the internet it works fine:

13:49:51.961554 00:0d:60:33:f9:da > 00:0f:3d:eb:d8:a9, ethertype IPv4 (0x0800), length 74: IP (tos 0x0, ttl 64, id 46328, offset 0, flags [none], proto 1, length: 60) 194.19.34.115 > 217.8.138.87: icmp 40: echo reply seq 0
13:49:52.961112 00:0f:3d:eb:d8:a9 > 00:0d:60:33:f9:da, ethertype IPv4 (0x0800), length 74: IP (tos 0x0, ttl 120, id 12656, offset 0, flags [none], proto 1, length: 60) 217.8.138.87 > 194.19.34.115: icmp 40: echo request seq 0

I can also ping between servers on the dmz (with internet IP), but this of course doesn't go through the fw/shorewall.

Any ideas?

It doesn't seem to be a blocking problem. I have put all rules/policies to ACCEPT to try that.

Some configuration:

shorewall version
2.2.4

194.19.34.126 dev eth1 scope link
194.19.34.125 dev eth1 scope link
255.255.255.255 dev eth2 scope link
194.19.34.105 dev eth1 scope link
194.19.34.100 dev eth1 scope link
194.19.34.98 dev eth1 scope link
194.19.34.115 dev eth1 scope link
194.19.34.99 dev eth1 scope link
194.19.34.96/27 dev eth0 proto kernel scope link src 194.19.34.110
10.0.0.0/24 dev eth2 proto kernel scope link src 10.0.0.1
10.0.10.0/24 dev eth1 proto kernel scope link src 10.0.10.1
169.254.0.0/16 dev eth2 scope link
default via 194.19.34.97 dev eth0

1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
5: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc htb qlen 1000
    link/ether 00:0f:3d:eb:d8:aa brd ff:ff:ff:ff:ff:ff
    inet 194.19.34.110/27 brd 194.19.34.127 scope global eth0
    inet6 fe80::20f:3dff:feeb:d8aa/64 scope link
       valid_lft forever preferred_lft forever
6: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0f:3d:eb:d8:a9 brd ff:ff:ff:ff:ff:ff
    inet 10.0.10.1/24 brd 10.0.10.255 scope global eth1
    inet6 fe80::20f:3dff:feeb:d8a9/64 scope link
       valid_lft forever preferred_lft forever
7: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:11:25:aa:78:ea brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.1/24 brd 10.0.0.255 scope global eth2
    inet6 fe80::211:25ff:feaa:78ea/64 scope link
       valid_lft forever preferred_lft forever
8: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0

/etc/shorewall/proxyarp
##############################################################################
#ADDRESS        INTERFACE       EXTERNAL        HAVEROUTE       PERSISTENT
194.19.34.115   eth1            eth0            NO

/etc/shorewall/interface
##############################################################################
#ZONE   INTERFACE       BROADCAST       OPTIONS
#
net     eth0            detect          norfc1918
loc     eth2            detect          dhcp
dmz     eth1            detect

Kind regards,
Kristian.
Alexander Wilms
2005-May-30 18:42 UTC
Re: Proxy ARP working from Internet but not from fw and loc
On Monday 30 May 2005 17:01, Kristian wrote:

Hi Kristian,

just a quick guess: Do you have the correct route on your servers back to the 10.0.0.0/24 network? I don't have the time now to read your post carefully. Please check your routing and maybe post your servers' routing table. If it doesn't help I will take a closer look.

Alex

> [...]
Jerry Vonau
2005-May-30 20:45 UTC
Re: Proxy ARP working from Internet but not from fw and loc
> [...]

Ok, here is what I think is happening. Traffic bound for the dmz from loc needs to be masq'd. The dmz uses a public IP, but the interface has a private IP: no route to the public dmz. Change the dmz interface's IP to be the same as the net one, as found here: http://www.shorewall.net/ProxyARP.htm

Might have to add to the masq file:

eth1    eth2

Jerry Vonau
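Both Kristian's traces and Jerry's diagnosis come down to two questions: where does 194.19.34.115 send its echo reply, and who on the DMZ wire answers the ARP that step needs. The walk-through below is an added example, not code from the thread or from Shorewall. It re-implements the kernel's longest-prefix-match route selection and the Linux ARP-reply rule over the firewall's routing table exactly as posted, plus an assumed routing table for the DMZ server (the external /27 on its NIC and the ISP router 194.19.34.97 as default gateway; the thread never shows that table), and then checks what changes when the loc source is masqueraded behind eth1's address, first as posted (10.0.10.1) and then with eth1 readdressed to 194.19.34.110 as Jerry suggests.

```python
"""Added example for the proxy-ARP thread above; not code from the posts or
from Shorewall.  Re-implements longest-prefix-match route selection and the
Linux ARP-reply rule, then walks the echo reply from the DMZ server back
toward the firewall for the tables involved.
"""
import ipaddress

# Firewall routing table, copied from the original post (`ip route` output).
FW_ROUTES = """\
194.19.34.126 dev eth1 scope link
194.19.34.125 dev eth1 scope link
255.255.255.255 dev eth2 scope link
194.19.34.105 dev eth1 scope link
194.19.34.100 dev eth1 scope link
194.19.34.98 dev eth1 scope link
194.19.34.115 dev eth1 scope link
194.19.34.99 dev eth1 scope link
194.19.34.96/27 dev eth0 proto kernel scope link src 194.19.34.110
10.0.0.0/24 dev eth2 proto kernel scope link src 10.0.0.1
10.0.10.0/24 dev eth1 proto kernel scope link src 10.0.10.1
169.254.0.0/16 dev eth2 scope link
default via 194.19.34.97 dev eth0
"""

# The firewall's own addresses, from the `ip addr` output in the post.
FW_ADDRS = {"194.19.34.110", "10.0.10.1", "10.0.0.1"}

# ASSUMPTION: routing table of the DMZ server 194.19.34.115.  The thread never
# shows it; a host addressed out of the external /27 with the ISP router as
# default gateway is the usual shape for a proxy-ARP DMZ.
DMZ_ROUTES = """\
194.19.34.96/27 dev eth0 proto kernel scope link src 194.19.34.115
default via 194.19.34.97 dev eth0
"""


def parse_routes(text):
    """Turn `ip route` lines into (prefix, dev, via, src) tuples."""
    routes = []
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        target = "0.0.0.0/0" if words[0] == "default" else words[0]
        prefix = ipaddress.ip_network(target, strict=False)  # bare host -> /32
        # 'dev eth1 scope link' -> {'dev': 'eth1', 'scope': 'link'}
        fields = dict(zip(words[1::2], words[2::2]))
        routes.append((prefix, fields.get("dev"), fields.get("via"), fields.get("src")))
    return routes


def lookup(routes, dst):
    """Longest-prefix match: the most specific matching prefix wins, which is
    why the /32 host route for .115 on eth1 beats the /27 on eth0."""
    addr = ipaddress.ip_address(dst)
    best = None
    for route in routes:
        if addr in route[0] and (best is None or route[0].prefixlen > best[0].prefixlen):
            best = route
    return best


def next_hop(routes, dst):
    """(egress dev, address the sender must ARP for): the destination itself
    for an on-link route, the gateway for a 'via' route."""
    route = lookup(routes, dst)
    if route is None:
        return None, None
    _prefix, dev, via, _src = route
    return dev, via or str(ipaddress.ip_address(dst))


def firewall_answers_arp(target, asking_dev, own_addrs, proxy_arp_devs, routes):
    """Linux ARP-reply rule with arp_ignore=0 (the default): a box answers for
    any address it owns, on any interface; with proxy_arp=1 on the interface
    the request arrived on, it also answers for targets it routes out through
    a different interface."""
    if target in own_addrs:
        return True
    if asking_dev not in proxy_arp_devs:
        return False
    dev, _ = next_hop(routes, target)
    return dev is not None and dev != asking_dev


def masq_source(routes, dst, iface_primary):
    """Source address MASQUERADE ends up with: the route's preferred source if
    it has one, else the egress interface's primary address (iface_primary)."""
    _prefix, dev, _via, src = lookup(routes, dst)
    return src or iface_primary[dev]


def reply_path(reply_to, proxy_arp_devs=("eth0",)):
    """Where 194.19.34.115 sends its echo reply for a request whose source was
    `reply_to`, and whether the firewall, hearing the ARP on eth1, answers it.
    proxy_arp_devs lists the firewall interfaces with
    /proc/sys/net/ipv4/conf/<dev>/proxy_arp = 1; read the real values on the box."""
    dev, arp_for = next_hop(parse_routes(DMZ_ROUTES), reply_to)
    answered = firewall_answers_arp(arp_for, "eth1", FW_ADDRS, proxy_arp_devs,
                                    parse_routes(FW_ROUTES))
    return {"reply_dev": dev, "arp_for": arp_for, "firewall_answers": answered}


if __name__ == "__main__":
    fw = parse_routes(FW_ROUTES)
    print("fw -> .115 leaves via", next_hop(fw, "194.19.34.115"))
    for src in ("10.0.0.50", "10.0.10.1", "194.19.34.110"):
        print(src, reply_path(src), reply_path(src, ("eth0", "eth1")))
    print("masq source, eth1 as posted:", masq_source(fw, "194.19.34.115", {"eth1": "10.0.10.1"}))
    print("masq source, eth1 readdressed:", masq_source(fw, "194.19.34.115", {"eth1": "194.19.34.110"}))
```

The thing to take from the walk: with the tables as posted, the server's reply to 10.0.0.50 (and equally to 10.0.10.1, the "from fw" case) is addressed at the ISP router's MAC on the DMZ wire, so it only reaches the firewall if eth1 has proxy_arp enabled there; check /proc/sys/net/ipv4/conf/eth1/proxy_arp on the firewall and watch `tcpdump -ni eth1 arp` for a who-has 194.19.34.97 that nobody answers. Masquerading loc behind eth1 as posted only changes the source to 10.0.10.1, which the server still sends to its gateway; once eth1 carries 194.19.34.110 and loc is masqueraded to it, the reply is on-link for the server and the firewall answers that ARP because the address is its own. The model does not cover the server's own packet filter, which is the other place a reply to an RFC1918 source can die.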